Oracle Blog

Thoughts from a Fat Bloke

Saturday Aug 18, 2007

When you initially install SGD (at least in all versions up to the time of writing, which is 4.31), the SGD webserver listens on port 80 and the SGD server listens on port 3144.
And the traffic between the client and the SGD server, both HTTP and AIP, is unencrypted.

So how do we secure the communications between client and server?

First we need an X.509 certificate

Normally you have to go and buy an X.509 certificate from people like Verisign.
Being tight, Fat Bloke uses a little-known feature of SGD, which is a "self-signed certificate".
This certificate is useless in a production environment as it certifies nothing, but it is free.
To get a self-signed certificate you create a CSR (certificate signing request) as usual:

...and follow the instructions. But instead of sending this request off to Verisign, keep your money in your pocket and type:

# /opt/tarantella/bin/tarantella security selfsign

ignore the warnings and move on...

Start the SGD server in secure mode

The self-signed certificate has automatically been placed in the /opt/tarantella/var/tsp directory and is used by SGD when you start it up using secure connections:

# /opt/tarantella/bin/tarantella security start

So now we have secure AIP connections on port 5307. But what about the web server connections?

Start the web server in secure mode

The webserver that is bundled with SGD (Apache) has a preconfigured httpd.conf file that looks for certificates in the same place that SGD uses to store certificates. So all we need to do is start the webserver with SSL enabled:

# /opt/tarantella/bin/tarantella webserver restart --ssl

So now our web traffic and AIP traffic are using SSL on ports 443 and 5307 respectively.
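The reason the self-signed certificate "certifies nothing" is that its issuer is the same entity as its subject, so no third party vouches for the name in it. The script below is an added example, not part of the original post or of SGD itself: it uses the openssl command-line tool (assumed to be installed) to generate a throwaway self-signed certificate for a constructed hostname, checks whether a given certificate is self-signed by comparing subject and issuer, and includes a probe you can point at the 443 and 5307 listeners on a real SGD host to confirm which certificate they present.

```shell
#!/bin/sh
# Added example (not from the post): inspect self-signed X.509 certificates
# with the openssl CLI. Assumes openssl is on PATH.

# make_selfsigned_cert DIR CN
# Writes DIR/cert.pem and DIR/key.pem: a 30-day self-signed certificate for CN.
# The hostname passed in is a constructed example, not a real SGD host.
make_selfsigned_cert() {
    dir=$1
    cn=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=$cn" -keyout "$dir/key.pem" -out "$dir/cert.pem" \
        >/dev/null 2>&1
}

# cert_subject CERT / cert_issuer CERT
# Print the subject or issuer DN with the "subject=" / "issuer=" prefix removed,
# so the two can be compared regardless of the openssl version's output style.
cert_subject() {
    openssl x509 -noout -subject -in "$1" | sed 's/^subject= *//'
}
cert_issuer() {
    openssl x509 -noout -issuer -in "$1" | sed 's/^issuer= *//'
}

# cert_cn CERT
# Print only the CN component of the subject.
cert_cn() {
    cert_subject "$1" | sed -n 's/.*CN *= *//p'
}

# is_self_signed CERT
# Exit 0 when issuer and subject are identical, i.e. nobody but the
# certificate's own key vouches for it (the case the post describes).
is_self_signed() {
    [ "$(cert_subject "$1")" = "$(cert_issuer "$1")" ]
}

# probe_tls HOST PORT
# Connect to a live TLS listener (e.g. an SGD host on 443 or 5307) and print
# the subject and issuer of the certificate it presents. Needs network access,
# so it is not exercised by the demo below.
probe_tls() {
    echo | openssl s_client -connect "$1:$2" 2>/dev/null \
        | openssl x509 -noout -subject -issuer
}

# Demo: build a certificate for a constructed hostname and classify it.
workdir=$(mktemp -d)
make_selfsigned_cert "$workdir" sgd.example.com
echo "CN:      $(cert_cn "$workdir/cert.pem")"
if is_self_signed "$workdir/cert.pem"; then
    echo "verdict: self-signed (issuer == subject), not trusted by clients"
else
    echo "verdict: issued by a separate CA"
fi
```

On a real deployment, `probe_tls sgd-host 443` and `probe_tls sgd-host 5307` should both show the certificate placed in /opt/tarantella/var/tsp; seeing issuer equal to subject is the visible sign that clients are being asked to trust a certificate nobody else has signed.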

In the next blog, we'll see how we can refine this deployment to work wholly over 443.